Permissions
The permission system controls what tools the AI agent can invoke, requiring explicit user approval for potentially destructive operations while auto-approving safe read-only actions.
Permission System
Every tool invocation passes through a permission check before execution. The permission system evaluates the tool name and its arguments against a set of rules to determine one of three outcomes:
- Allow -- the tool executes immediately without user interaction
- Ask -- the user is prompted to approve or deny the tool call
- Deny -- the tool call is blocked outright
Default Permissions
The following table shows the default permission for each tool category. These defaults apply in chat mode. The do mode overrides are described below.
| Tool | Default | Rationale |
|---|---|---|
| read_file | Allow | Reading files is non-destructive |
| write_file | Ask | Writing modifies the filesystem |
| run_command | Ask | Commands can have side effects |
| search_files | Allow | Search is read-only |
| list_directory | Allow | Directory listing is read-only |
| browser_navigate | Allow | Navigation is non-destructive |
| browser_click | Ask | Clicks can trigger actions on external sites |
| browser_evaluate | Ask | Executes arbitrary JavaScript |
Permission Prompts
When a tool call requires approval (permission = "Ask"), the CLI displays a permission prompt showing:
- The tool name being invoked
- The arguments the model wants to pass
- A preview of the operation (e.g., file path, command to run)
The user can respond with:
- Yes (y) -- approve this specific tool call
- No (n) -- deny this tool call (the model receives the denial and can try an alternative)
- Always -- approve this tool for the remainder of the session
The "Always" option avoids repeated prompts for the same tool type during long sessions.
Do Mode Auto-Approve
In do mode (autonomous task execution), safe tools are auto-approved to enable fluent agent loops. The model can read files, search directories, navigate browsers, and take screenshots without prompting the user.
Destructive operations -- file writes, command execution, JavaScript evaluation -- still require user approval even in do mode. This provides a balance between autonomy and safety.
CAS Resolution
When multiple tool calls arrive concurrently (e.g., the model requests several file reads simultaneously), there is a race condition risk where one permission check might interfere with another. Opta resolves this using a CAS (Compare-And-Swap) mechanism that serializes permission decisions per session.
This ensures that each permission prompt is presented and resolved independently, even when the model requests parallel tool invocations.
S01: Permission Check Rule
Rule S01 in the Strict tier mandates that every tool invocation must pass through the permission check pipeline. No tool can bypass the permission system, even internal or system-level tools. This rule is enforced at the daemon level and cannot be disabled by configuration.